From d0bf638a21f73ef433963c56d718690e9e6745c0 Mon Sep 17 00:00:00 2001
From: sam
Date: Sat, 23 Nov 2024 20:40:09 +0100
Subject: [PATCH] fix: check for obviously invalid instance URLs, use correct JSON key for mastodon scopes
---
 .../Authentication/FediverseAuthController.cs | 4 +++-
 .../Auth/FediverseAuthService.Mastodon.cs | 24 ++++++++++++-------
 2 files changed, 18 insertions(+), 10 deletions(-)
diff --git a/Foxnouns.Backend/Controllers/Authentication/FediverseAuthController.cs b/Foxnouns.Backend/Controllers/Authentication/FediverseAuthController.cs
index 43a2955..8dca588 100644
--- a/Foxnouns.Backend/Controllers/Authentication/FediverseAuthController.cs
+++ b/Foxnouns.Backend/Controllers/Authentication/FediverseAuthController.cs
@@ -6,7 +6,6 @@ using Foxnouns.Backend.Utils;
 using Microsoft.AspNetCore.Mvc;
 using Microsoft.EntityFrameworkCore;
 using NodaTime;
-using FediverseAuthService = Foxnouns.Backend.Services.Auth.FediverseAuthService;
 namespace Foxnouns.Backend.Controllers.Authentication;
@@ -25,6 +24,9 @@ public class FediverseAuthController(
 [ProducesResponseType(statusCode: StatusCodes.Status200OK)]
 public async Task GetFediverseUrlAsync([FromQuery] string instance)
 {
+ if (instance.Any(c => c is '@' or ':' or '/') || !instance.Contains('.'))
+ throw new ApiError.BadRequest("Not a valid domain.", "instance", instance);
+
 var url = await fediverseAuthService.GenerateAuthUrlAsync(instance);
 return Ok(new FediverseUrlResponse(url));
 }
diff --git a/Foxnouns.Backend/Services/Auth/FediverseAuthService.Mastodon.cs b/Foxnouns.Backend/Services/Auth/FediverseAuthService.Mastodon.cs
index 139830b..665e07f 100644
--- a/Foxnouns.Backend/Services/Auth/FediverseAuthService.Mastodon.cs
+++ b/Foxnouns.Backend/Services/Auth/FediverseAuthService.Mastodon.cs
@@ -1,3 +1,4 @@
+using System.Diagnostics.CodeAnalysis;
 using System.Net;
 using System.Web;
 using Foxnouns.Backend.Database;
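Review bot: The new guard in `GetFediverseUrlAsync` still admits values that are not hostnames, because it only rejects `@`, `:` and `/` and requires a dot; `?`, `#`, whitespace, backslashes and percent-encoded bytes all pass and then end up interpolated into `$"https://{instance}/api/v1/apps"` in the service file below. It also dereferences `instance` before any null check, so a missing query parameter surfaces as a NullReferenceException rather than the intended 400 unless model validation already rejects it (not visible here). A stricter check that still fits on one line: `if (string.IsNullOrWhiteSpace(instance) || !instance.Contains('.') || Uri.CheckHostName(instance) != UriHostNameType.Dns)`. `Uri.CheckHostName` classifies literal IPv4/IPv6 addresses as their own kind, so this version rejects those too — confirm that is acceptable before adopting it. Neither version restricts loopback or private-network hosts; whether the outbound request should be allowed to reach such hosts is a separate decision for the service that makes it.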
@@ -17,16 +18,13 @@ public partial class FediverseAuthService
 Snowflake? existingAppId = null
 )
 {
- var resp = await _client.PostAsync(
+ var resp = await _client.PostAsJsonAsync(
 $"https://{instance}/api/v1/apps",
- new FormUrlEncodedContent(
- new Dictionary
- {
- { "client_name", $"pronouns.cc (+{_config.BaseUrl})" },
- { "redirect_uris", MastodonRedirectUri(instance) },
- { "scope", "read:accounts" },
- { "website", _config.BaseUrl },
- }
+ new CreateMastodonApplicationRequest(
+ ClientName: $"pronouns.cc (+{_config.BaseUrl})",
+ RedirectUris: MastodonRedirectUri(instance),
+ Scopes: "read read:accounts",
+ Website: _config.BaseUrl
 )
 );
 resp.EnsureSuccessStatusCode();
@@ -237,9 +235,17 @@ public partial class FediverseAuthService
 private static string MastodonCurrentAppUri(string instance) =>
 $"https://{instance}/api/v1/apps/verify_credentials";
+ [SuppressMessage("ReSharper", "ClassNeverInstantiated.Local")]
 private record PartialMastodonApplication(
 [property: J("name")] string Name,
 [property: J("client_id")] string ClientId,
 [property: J("client_secret")] string ClientSecret
 );
+
+ private record CreateMastodonApplicationRequest(
+ [property: J("client_name")] string ClientName,
+ [property: J("redirect_uris")] string RedirectUris,
+ [property: J("scopes")] string Scopes,
+ [property: J("website")] string Website
+ );
 }
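Review bot: `Scopes: "read read:accounts"` widens what the registered app is allowed to do — the removed line asked only for `read:accounts`, and on Mastodon `read` is the umbrella scope covering every read endpoint — while the commit message only mentions fixing the JSON key. If account lookup is all that is needed, keep `Scopes: "read:accounts"`; if the broader scope is genuinely required, a one-line comment saying why would stop the next reader from tightening it back. Either way this value has to agree with the scope sent in the authorization and token requests elsewhere in this file (not visible here), since Mastodon typically refuses token requests for scopes the app was not registered with. It is also worth confirming that the `J` attribute alias on `CreateMastodonApplicationRequest` is one that the serializer behind `PostAsJsonAsync` honours (System.Text.Json by default); if it aliases a Newtonsoft attribute, the body would be sent with the C# property names and the key fix would not take effect. The enclosing method starts and ends outside this hunk.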
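Review bot: `CreateMastodonApplicationRequest` says nothing about which endpoint it models, even though a mismatched key name on this very request is what the commit fixes, so the names could easily drift again. A short XML summary on the record would pin the contract: `/// <summary>Body of <c>POST /api/v1/apps</c>; the <c>J</c> names must match Mastodon's parameter names exactly (<c>scopes</c>, not <c>scope</c>).</summary>`. The new `SuppressMessage` on `PartialMastodonApplication` would benefit from the same treatment — presumably the type is only ever produced by deserialization, which is why the analyzer sees no instantiation, and saying so next to the attribute explains the suppression.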